Researchers from ESET have just discovered that the BlackEnergy trojan was recently used as a backdoor to deliver a destructive KillDisk component in attacks against Ukrainian news media companies and against the electrical power industry.
ESET Researchers:
- On December 23, 2015, around half of the homes in the Ivano-Frankivsk region in Ukraine (population around 1.4 million) were left without electricity for a few hours. According to the Ukrainian news media outlet TSN, the cause of the power outage was a “hacker attack” utilizing a “virus”. Looking at ESET’s own telemetry, we have discovered that the reported case was not an isolated incident and that other energy companies in Ukraine were targeted by cybercriminals at the same time.
- In the recent attacks against electricity distribution companies in Ukraine, a destructive KillDisk trojan was downloaded and executed on systems previously infected with the BlackEnergy trojan. The link between BlackEnergy and KillDisk was first reported by CERT-UA in November. In that instance, a number of news media companies were attacked at the time of the 2015 Ukrainian local elections. The report claims that a large number of video materials and various documents have been destroyed as a result of the attack.
- The attack scenario is simple: The target gets a spear-phishing e-mail that contains an attachment with a malicious document. The Ukrainian security company CyS Centrum published two screenshots of e-mails used in BlackEnergy campaigns, where the attackers spoofed the sender address to appear to be one belonging to Rada (the Ukrainian parliament). The document itself contains text trying to convince the victim to run the macro in the document. This is an example where social engineering is used instead of exploiting software vulnerabilities. If victims are successfully tricked, they end up infected with BlackEnergy Lite.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.